We’re using Apache mod_unique_id to pass in request IDs to our Rails app with the directive: RequestHeader set X-Request-Id “%{UNIQUE_ID}e”. However, ActionDispatch::RequestId#make_request_id uses a regex to remove characters that aren’t within a specified character class. The relevant excerpt is pasted below:
def make_request_id(request_id) if request_id.presence request_id.gsub(/[^\w-]/, “”.freeze).first(255) else internal_request_id end end
``
Unfortunately for Apache users, mod_unique_id uses characters in the class [\w-@]. An excerpt from the module’s “Theory” section:
The
UNIQUE_IDenvironment variable is constructed by encoding the 144-bit (32-bit IP address, 32 bit pid, 32 bit time stamp, 16 bit counter, 32 bit thread index) quadruple using the alphabet[A-Za-z0-9@-]in a manner similar to MIME base64 encoding, producing 24 characters. The MIME base64 alphabet is actually[A-Za-z0-9+/]however+and/need to be specially encoded in URLs, which makes them less desirable
My first inclination is to simply request an expansion of the character class used to include the at symbol, but I’m wondering what the reason behind restricting the request ID to [\w-] was in the first place? Should it be more permissive in general? If not, it seems reasonable to include the at symbol, given that it is required by a very common web server implementation.